[00:01.360 --> 00:09.080]  Hi everyone! In this presentation, we will tell you about our experiences with IoT hacking.
[00:09.380 --> 00:16.300]  I will also mention the weaknesses and misconfigurations that we have identified and that can be
[00:16.300 --> 00:26.280]  detected. But firstly, I want to talk about myself. When I look at myself in general,
[00:26.280 --> 00:35.620]  there are a few keywords I can use about me. These are co-founder, author, speaker, and trainer.
[00:36.520 --> 00:48.280]  So, apart from this, there is not much I can say for myself. And I can say I love Wi-Fi hackers.
[00:51.460 --> 00:55.280]  This place also contains some information about my friends.
[00:55.280 --> 01:03.220]  Since we cannot make the presentation live and we are in different locations,
[01:03.220 --> 01:07.040]  I am the only one giving the presentation right now.
[01:09.810 --> 01:18.730]  Let's start, guys. In IoT hacking research, there is something that everyone is serious about.
[01:19.450 --> 01:27.490]  How should IoT devices be analyzed? What is the methodology? What tools should I use
[01:27.490 --> 01:37.910]  in IoT hacking or research? Many, many, many questions like how can I find weaknesses in
[01:37.910 --> 01:45.630]  IoT devices? In order to answer these questions, we should be able to look deeply
[01:46.360 --> 01:57.960]  or understand everything correctly. In this context, the first step is to choose the product
[01:57.960 --> 02:05.760]  to be analyzed. In order to do this, we should ask ourselves the following questions.
[02:06.140 --> 02:13.630]  Which industry am I targeting? Which area of the industry do I target? For example,
[02:14.450 --> 02:22.730]  your target in the financial sector may be products used in banks. Your target in the
[02:22.730 --> 02:31.550]  health sector may be products used in patient rooms of hospitals. If you ask yourself this
[02:31.550 --> 02:42.770]  question and write down the answer, you will have defined your goal. After defining the target,
[02:42.770 --> 02:50.590]  the product must be supplied. There are several solutions for this. You can contact the manufacturer
[02:50.590 --> 02:57.090]  of the target product. You can contact the customer using the target product. You can buy
[02:57.090 --> 03:04.370]  the target product. By using one of these methods, you can contact the manufacturer,
[03:04.370 --> 03:08.630]  developer, or customer to improve security.
[03:10.810 --> 03:20.710]  This is the most important step because now your target industry and target area are certain.
[03:20.710 --> 03:29.210]  You also provided the product. To model this place correctly, we should know
[03:29.210 --> 03:39.050]  that every product has many properties associated with it. Note that these features
[03:39.050 --> 03:46.570]  associated with the product itself can actually be used as an attack point against the product.
[03:46.890 --> 03:54.710]  For this reason, you need to take a piece of paper in your hand and write down the features
[03:54.710 --> 04:04.130]  associated with the product. You can try it yourself for understanding attack surface mapping.
[04:06.710 --> 04:12.310]  Once you have correctly defined the attack points, you will need the necessary hardware
[04:12.310 --> 04:20.670]  and software to perform the associated attack. And as you see, this resource you see in the
[04:20.670 --> 04:27.670]  presentation will be very, very, very helpful for this. You can find a lot of hardware and software
[04:28.240 --> 04:39.490]  in this resource. Finally, after all of them, you can start exploiting the product now.
[04:42.580 --> 04:50.710]  In this presentation, I would like to share the details of three types and four products.
[04:52.390 --> 05:03.780]  The first is a robotic assistant. I can say about this target, this is a robot assistant
[05:03.780 --> 05:11.360]  and it has target features such as Wi-Fi connection, internet connection, and USB inputs, and
[05:11.360 --> 05:21.660]  you know, and others. And this target and product is used in hospitals, restaurants, airports, and
[05:22.180 --> 05:31.720]  in other possible areas. On this product, we found weaknesses such as privilege escalation,
[05:31.720 --> 05:36.440]  hidden admin panel, weak password, unsecured communication, and login bypass.
[05:37.000 --> 05:44.140]  Let's take a closer look at them and understand deeply.
[05:45.880 --> 05:52.220]  For the login bypass in this target, you know, usually on the main screen there are processes
[05:52.220 --> 06:02.420]  related to the service of the device. But remember, there was a keyboard input. When you press a fifth
[06:02.420 --> 06:08.680]  key combination with a keyboard attached here, you can bypass the service screen and access the
[06:08.680 --> 06:18.520]  terminal directly. After accessing the terminal with the previous weakness, we gather the information
[06:18.520 --> 06:28.840]  about the device with the uname-e command. Then we saw that there was a kernel weakness and we
[06:28.840 --> 06:36.980]  increased the authority on the system with the exploit we downloaded from exploit-db.
[06:38.040 --> 06:46.800]  Another feature is the hidden admin panel in this product. You know, clicking on a particular area
[06:46.800 --> 06:54.680]  of the screen multiple times opens this screen. If it is also protected by a weak password,
[06:54.680 --> 07:00.760]  you can directly access it in admin authority. And yes, we did it.
[07:02.480 --> 07:11.020]  As my authority increased on the product, I started to try different things. And in
[07:11.960 --> 07:18.880]  analysis, I saw that the product performed firmware and other software updates with
[07:18.880 --> 07:29.200]  insecure protocols like FTP. And you know, FTP is an insecure protocol and if an attacker
[07:29.200 --> 07:39.020]  is in the environment, they can sniff the traffic and see the username, password, and other data.
[07:40.200 --> 07:45.260]  After all of them, I took control of the robots by capturing the information of the server
[07:45.260 --> 07:55.560]  where the robots were updated. This is now a zombie robot network. We can do anything
[07:55.560 --> 08:07.350]  on the robots and we can control them. This is the second story, about the smart scooter.
[08:08.030 --> 08:13.510]  And I can say about this product, it's a widget
[08:15.250 --> 08:22.230]  used for transportation purposes. It has features that can be targeted such as the
[08:22.850 --> 08:31.030]  smart lock, the mobile application, the developer, and others. And we will talk about it.
[08:31.030 --> 08:41.290]  And this smart scooter is generally used for short distance transportation like
[08:41.730 --> 08:55.250]  campus of the university. And I also saw some people use it to carry household items in Turkey.
[08:57.210 --> 09:04.770]  When we look at this product, we found that there are basically four different attack points.
[09:04.770 --> 09:14.210]  The most important of these attack points is, of course, the human factor, and it is ignored in most research.
[09:17.040 --> 09:23.460]  Here is the mobile application. There are many functions that can be used as an attack vector
[09:23.460 --> 09:29.040]  in this mobile app. And in general, every electric and smart scooter also
[09:29.600 --> 09:40.180]  serves the same functions like reserve. But, you know, you can reserve your scooter, you can
[09:42.800 --> 09:52.620]  start the ringing function, and you can log in, register, reset, you know. And this mobile application
[09:53.920 --> 10:04.480]  could be an APK file or API file, you know. And this is the ringing function.
[10:05.020 --> 10:13.920]  And at the same time, you can light the device constantly so people around you understand that
[10:13.920 --> 10:22.940]  someone else found it first. In our study, we have seen that this function can be triggered
[10:22.940 --> 10:30.710]  without authorization using only the QR code number on this device. We can watch this video.
[10:34.170 --> 10:44.550]  And we captured the mobile application traffic for the ringing function. And when we deleted
[10:45.250 --> 10:52.970]  the authorization header from the request, we saw that we could
[10:53.970 --> 11:00.590]  repeat this function every time, with no limit and nothing for security.
[11:07.560 --> 11:16.460]  And when I analyzed the mobile apps for two different products of the manufacturer, I saw
[11:16.920 --> 11:26.000]  that they used the same hard-coded ISK value, as you see on the presentation screen.
[11:27.200 --> 11:32.680]  Another weak point is again from within the mobile application: hosting hard-coded information in a
[11:32.680 --> 11:39.720]  mobile application is a common problem. Here, I saw that the secret password information was left
[11:39.720 --> 11:46.160]  statically in the mobile application. And when you analyze any mobile application related to a
[11:46.160 --> 11:58.460]  smart scooter, you can find the same bug. So in mobile application penetration testing related to
[11:58.460 --> 12:06.920]  smart hardware, you should check some static information. You can find a lot of hard-coded
[12:06.920 --> 12:17.860]  information like super password, ISK value. The main weakness here is the human and the devices
[12:17.860 --> 12:25.480]  that he uses. Therefore, we can expand the attack surface by asking the following questions about the
[12:25.480 --> 12:36.780]  developer. Is the computer connected to any Wi-Fi? Connected to any USB? Does he open every email and download
[12:37.480 --> 12:47.140]  or run any file? Is the operating system updated? Is the developer's mobile phone jailbroken or rooted?
[12:48.200 --> 12:54.000]  After these questions, we can launch a social engineering attack or hack the wireless network
[12:54.000 --> 13:01.160]  the person is using. In our research, we saw that there is a weakness here. The developers are very
[13:01.160 --> 13:12.360]  careless. And this is the smart lock the user uses to lock and unlock the smart electric scooter.
[13:12.360 --> 13:17.980]  It usually has a QR code on it and has Bluetooth low energy communication.
[13:18.780 --> 13:24.800]  It is also the main point associated with the mobile application. The most dangerous point here
[13:25.240 --> 13:33.960]  is the QR code which does not directly harm the smart scooter vehicle. But we have seen
[13:33.960 --> 13:42.660]  that it is an attack point for users indirectly. Think of it like this. You can try to install malware
[13:43.440 --> 13:50.600]  on the phone with a fake QR code or redirect users to a phishing page with a fake QR code on
[13:50.600 --> 14:08.830]  the smart scooter. And this is the story about the fifth, the smart lock, which we want to tell you about in no time.
[14:15.140 --> 14:22.540]  We can say about this target, this smart lock, it has targeted points such as mobile application,
[14:22.540 --> 14:28.580]  web service, internet connection, bluetooth low energy communication, firmware and hardware.
[14:29.260 --> 14:40.340]  All of them are attack vectors for us, for our research. And this smart lock
[14:40.340 --> 14:54.260]  could be used in hospitals, homes, in the smart scooter and, you know, others.
[14:56.300 --> 15:01.780]  There are a lot of weaknesses here in the smart lock, especially if you are using cloud-based
[15:01.780 --> 15:08.080]  devices using your home wireless network: you will lose communication with your smart device
[15:08.600 --> 15:13.980]  under a Wi-Fi DoS attack. Another point is wrong authorization
[15:15.880 --> 15:21.340]  through the mobile application, so an attacker can control your locks.
[15:23.220 --> 15:27.720]  The weakness of the product is related to the web service
[15:27.720 --> 15:33.960]  that the mobile application communicates with. As you can see, there are many related points
[15:34.920 --> 15:44.540]  and in the Knock Lock API, the bind and unbind functions are vulnerable,
[15:44.540 --> 15:54.300]  related to broken authentication. An attacker can bind or unbind, can use the bind and unbind functions
[15:54.300 --> 15:59.780]  without any security
[16:04.180 --> 16:14.440]  restriction, you know. Finally, we have seen that other users' profile information can be
[16:14.440 --> 16:23.360]  updated without authorization in Knock Lock API. And thanks a lot to Ruchal Labs for their support
[16:23.360 --> 16:25.920]  and thank you for listening to us.
